Leaked Senate encryption bill called 'ludicrous, dangerous' by security experts

Posted:
in General Discussion edited April 2016
A proposed U.S. Senate draft bill that would give courts the authority to compel tech company compliance in law enforcement requests to encrypted data leaked online Thursday night, and by Friday security experts and civil rights advocates were dismantling the policy, calling it ill-informed and potentially dangerous.




The proposed bill, authored by U.S. Senate Intelligence Committee Chairman Sen. Richard Burr (R-NC) and Vice Chair Sen. Dianne Feinstein (D-CA), has been circulating amongst key members of Congress for the past two weeks in a bid to build support prior to vote. According to people familiar with the matter, the version that leaked online is current, Reuters reports.

As described by Open Technology Institute Director Kevin Bankston, the draft bill is the "most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century."

While not in its final form, the legislation's language appears to offer judges authority to force tech companies like Apple to hand encrypted data over to law enforcement agencies, even if that means breaking into their own devices.

In particular, tech companies furnished with data request warrants would have to deliver said data in "an intelligible format" or provide "technical assistance" to agencies seeking access to passcode protected information. As reported in March, the bill does not stipulate specific penalties for noncompliance, nor does it suggest methods or means by which compelled companies must provide access.

Following last night's leak, Burr and Feinstein issued a joint statement attempting to explain their bill and why it is necessary.

"The underlying goal is simple: when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out," the statement reads. "No individual or company is above the law."

Reuters cites source as saying President Obama is scheduled to be briefed on the bill by White House chief of staff Denis McDonough next Monday. However, a report on Thursday said the administration is split on the issue, suggesting the White House is unlikely to support the proposal, at least not publicly.

The bill is being floated in direct response to growing concern that law enforcement agencies, unable to break increasingly sophisticated consumer level encryption protocols, lack judicial instruments to force compliance in evidence gathering operations. Speaking to issue was the recent court kerfuffle between the FBI and Apple.

Apple in February was ordered by a federal court to assist the FBI in gaining access to an iPhone tied to San Bernardino terror suspect Syed Rizwan Farook. A day before federal prosecutors were scheduled to meet Apple lawyers in the case's first evidentiary hearing, the government withdrew its motion to compel citing an outside party who demonstrated an eleventh hour passcode workaround. With a working exploit, the FBI's case was rendered moot.

Since then, the FBI has promised to assist in multiple ongoing investigations involving locked iPhones, though whether or not the agency plans to apply its new data access technique is unknown. As it stands, the vulnerability can only be leveraged on older handsets. FBI Director James Comey this week confirmed the exploit does not work on hardware above an iPhone 5c, and the agency is already running into problems newer devices.

Earlier today, the U.S. Justice Department said it plans to continue a long-running Brooklyn court case compelling Apple's assistance in accessing a target iPhone 5s running iOS 7. As in San Bernardino, the company is resisting the All Writs Act order.
brakken
«1

Comments

  • Reply 1 of 29
    muppetrymuppetry Posts: 3,328member
    It surprises me that the implications of proposals of this kind have still not, apparently, been understood by those drafting such bills. Legitimate court orders to hand over data or other material evidence have precedent and make sense, but it is not reasonable to propose that court orders can compel either people or companies to help LE decrypt such data, or provide any non-material assistance or expertise.
    edited April 2016 radarthekattdknoxjes42palomineicoco3jbdragonbadmonk
  • Reply 2 of 29
    radarthekatradarthekat Posts: 3,005moderator
    muppetry said:
    It surprises me that the implications of proposals of this kind have still not, apparently, been understood by those drafting such bills. Legitimate court orders to hand over data or other material evidence have precedent and make sense, but it is not reasonable to propose that court orders can compel either people or companies to help LE decrypt such data, or provide any non-material assistance or expertise.

    Or be forced to become a forensics tool provider.  Imagine you're an engineer working at Apple.  The company, under this new law, is forced to develop a weakened version of iOS to install onto an iPhone that law enforcement wants access to.  The iPhone is unlocked and law enforcement gets evidence crucial to their case.  Eventually there's a court trial, and the defense attorney demands to have its expert inspect the forensic tool to ensure that it didn't alter the evidence it allowed access to.  Now the engineer gets called into court to testify.  Not once and done, but again and again in every case in which the tool was used.  He'd quit his job and move out of the country!  And if the government thinks there should be no concern that the tool gets out into the wild, just wait until all those defense experts are pouring over Apple's iOS source code.  Yeah, this whole thing goes bad real quick.
    nolamacguyration aldesignroseamebaconstangcintosjes42fotoformatlatifbppalomine
  • Reply 3 of 29
    calicali Posts: 3,495member
    You're living in a fantasy world if you think police are saints(some morons do).

    You know how they plant evidence on you?
    This is 10x worse. Anyone they wanna lock up, they can with ease. Either for political reasons or just for laughs.
    magman1979designroseamebaconstangcintosjes42latifbppalomineicoco3lostkiwi
  • Reply 4 of 29
    eideardeideard Posts: 380member
    Wouldn't expect anything more from the scumbags inhabiting Congress.
    magman1979designrjes42latifbplostkiwi
  • Reply 5 of 29
    boltsfan17boltsfan17 Posts: 2,157member
    I don't understand how these morons in Congress fail to see the big picture in what they are proposing. This bill will force tech companies to release products with back doors, otherwise they will fail to comply with the law. This is a disaster waiting to happen. 
    magman1979ration aljes42lostkiwijbdragonbadmonk
  • Reply 6 of 29
    razormaidrazormaid Posts: 299member
    Well first off this bill itself was "leaked"?  as in the very people who wrote it couldn't even keep IT secure?  LOL   Would someone PLEASE do a two minute hack into Feinstein's phone and release it all,over the internet?  It's the ONLY way all of this is going to go away. Where's Snowdrn when we really need him?  I dont expect to see a sex tape of hers, (oh god I hope not anyway), but maybe some top secret stuff leaked directly from her device would give that ill informed mess some idea as to what is at stake here. 
    radarthekatmagman1979nolamacguyoseamebaconstangjes42palominejbdragonbadmonk
  • Reply 7 of 29
    boltsfan17boltsfan17 Posts: 2,157member
    razormaid said:
    Well first off this bill itself was "leaked"?  as in the very people who wrote it couldn't even keep IT secure?  LOL   Would someone PLEASE do a two minute hack into Feinstein's phone and release it all,over the internet?  It's the ONLY way all of this is going to go away. Where's Snowdrn when we really need him?  I dont expect to see a sex tape of hers, (oh god I hope not anyway), but maybe some top secret stuff leaked directly from her device would give that ill informed mess some idea as to what is at stake here. 
    If someone hacked into Feinstein's phone, we would see information about all the hundreds of millions of taxpayer money she illegally funneled into her husbands companies. 
    tallest skilbaconstangSpamSandwichibilljes42icoco3jbdragonbadmonk
  • Reply 8 of 29
    designrdesignr Posts: 464member
    I don't understand how these morons in Congress fail to see the big picture in what they are proposing. This bill will force tech companies to release products with back doors, otherwise they will fail to comply with the law. This is a disaster waiting to happen. 
    What makes you think they don't see the big picture? I think some of them actually do. Which then makes them evil rather than stupid.

    jes42lostkiwijbdragonbadmonk
  • Reply 9 of 29
    in 2011 there were 489 million personal wifi routers being used in america. most of these routers all use 256 bit military grade encryption, called "wpa2 aes". and unlike iPhones, use a "rolling" key which by default changes every hour. at 3pm your wifi group key may be 3pW[+NrI$e8K1.1Qd[hYOX_P#I and at 4pm your wifi group key may be [email protected]@AUnDgk=qVnS!N~6VX^E2vE(9Z)w these keys are disposable and never used again. if someone brute forces your wifi, they have to brute force each time interval separately. and because of this, i believe the senate should force link sys, acer, netgear to keep our temporary disposable keys on file to help the fbi investigate cyber crimes!!!! doesn't that just sound ludicrous ?? so how come wifi gets a get out of jail free card, but apple and google doesn't ? i think wpa2-aes is stopping the fbi form eavesdropping and requires a chip. its only fair if apple has to do it. not even the iPhone or the worst 4096 bit windows ransom ware uses disposable rolling keys.
    edited April 2016 radarthekatbaconstangjes42palominestevehloquiturjbdragon
  • Reply 10 of 29
    the average person believes their wifi password is used to directly encrypt wifi traffic. the average person believes the underlying encryption is stronger if you use a 25 character password versus an 8 character password. this is not true!!!!! the actual network traffic is encrypted using a 256 bit key that changes every hour. all your password does is tell the router you are okay to get the current key
    radarthekatjes42loquiturjbdragon
  • Reply 11 of 29
    SpamSandwichSpamSandwich Posts: 30,840member
    Feinstein is a traitor to the Constitution and hostile to the freedoms guaranteed to us.
    designrradarthekattallest skiljes42mac_dogicoco3stevehloquiturlostkiwijbdragon
  • Reply 12 of 29
    stourquestourque Posts: 354member
    Feinstein is a traitor to the Constitution and hostile to the freedoms guaranteed to us.
    But Chairmain Richard Burr is a patriotic American?
    baconstangcurt12bobschlob
  • Reply 13 of 29
    stourquestourque Posts: 354member
    The tech industry needs to learn that this is the result of not spending billions on lobbying like the pharmaceutical, oil, and firearms industries.
    baconstangloquiturlostkiwijbdragonSpamSandwich
  • Reply 14 of 29
    robjnrobjn Posts: 203member

    the legislation's language appears to offer judges authority to force tech companies like Apple to hand encrypted data over to law enforcement agencies
    No. They don't want Apple to "hand encrypted data over".

    They want Apple to find a way to decrypt the encrypted (destroyed) data for them and give them either an encryption key, access to the key (as in unlocking a passcode or password on a phone) or decrypted data they can read.
    jes42tallest skiljbdragon
  • Reply 15 of 29
    CMA102DLCMA102DL Posts: 121member
    It is a full time job assisting the DoJ, who can get anything done and make some money here.
  • Reply 16 of 29
    I think it's time the media made an example of politicians that are advocating the destruction of privacy and basic security. E.g. "Richard Burr and Sen. Dianne Feinstein want to make it easy for criminals to get access to your bank account." Since it's this exact kind of hyperbole that they use to justify their ridiculous legislation.
    palomineretrogustolostkiwijbdragonbaconstang
  • Reply 17 of 29
    wonkothesanewonkothesane Posts: 1,344member
    I am sure this is not restricted to one country; when you encounter some draft like this it makes you worry just how knowledgable decision makers are on other subjects as well. You'd think they may not be, but surely have all these experts that help them come to a fact based decision. Well, even my 7 year old daughter has given up believing in the existance of pink unicorns at one point...

    On the less funny side, these are exactly examples why trust in government and all institutions around is fading away. Some things simply won't be remedied by saying "oops" and "we're so sorry that this sensitive information has leaked"/"we were not knowing about the full consequences of our proposition".

    To be clear: I do not claim politicians and officials must be flawless, they are human after all. However, my perception is that more and more they don't care about hiding incompetence, or hidden agendas, or whatever keeps them from performing in the people's best interest.
    palominelostkiwi
  • Reply 18 of 29
    What these legislators don't seem to get is that every technology developed for the military or law enforcement eventually makes it out into the wild in some form or other, and eventually becomes a commercial product. A backdoor or special super-secret government-only key will also make it out into the wild, and that is bad for EVERYONE.

    This is not one of those "if you're not doing anything wrong, then you've got nothing to worry about" situations. It's more like, political adversaries could hack each other, nations could steal state secrets of other nations, companies could steal R&D from each other, politicians' personal lives could be hacked, etc.

    Bad guys will just use other means to plot & scheme their nefarious deeds. Ordinary citizens will be vulnerable to these bad guys. But, ironically, it's the powerful people and institutions who are under the greatest threat from "backdoored" personal devices.
  • Reply 19 of 29
    tallest skiltallest skil Posts: 43,399member
    I think it’s time the media made an example of politicians...
    I’m sorry, why would they do that when they’re owned by the government? What on Earth makes you think the media has any intention of actually reporting on news?
    lostkiwijbdragon
  • Reply 20 of 29
    retrogustoretrogusto Posts: 711member
    I think it's fair to expect Apple to hand over any encrypted data to which they have access.

    But it makes no sense to make them decrypt it, or to force them to make products with weaker security. It's just not what they do, or should have to do. Perhaps weapons manufacturers should be forced to decrypt the handset data, or manufacturers of fertilizer and hydrogen peroxide, or whatever else they're using to make bombs these days. And maybe shoe manufacturers (since we all know how dangerous shoes can be in the wrong...hands). And of course drug dealers. Or they could all take turns, since they're all somehow connected to the bad things happening in the world these days. And why should the government have to do this if they can force a private company to do it?
    loquitur
Sign In or Register to comment.